hacked website?

dovij

Hi

So I hope someone can help me here; something has happened to my website that's quite worrying! So here's the story:

First some specs:
It's osCommerce based, with quite a few add-ons and contributions, hosted with serve.co.za.
If anyone wants to help, they can view the stuff I'm talking about at www.digibuy.co.za

I'm busy developing an e-commerce store, and I just reached the stage where I'm trying to submit my products to jump.co.za for listing. However, they told me that the feed they're getting has some weird links on it, corrupting the xml file. So I started investigating my site's source code from my Win7 computer, and nothing came up! However, when I move to XP mode, or an XP computer, and view the page's source code, at the bottom between the last <br> and </body> there is a whole list of links that I didn't put there! Additionally, every time the page is refreshed, there is a different set of links. This leads me to believe it is somehow pulling the data from another website.

Now, I've spent the last several hours going through the code very finely, but I can't find anything. I'm not an expert in php and html, but I know enough to know that something is seriously wrong! Either the code is lurking somewhere that I missed, Serve.co.za's servers are compromised and are inserting data at the end of all the pages they host, or there's a little orange gremlin hiding in my webpage messing it up.... :confused:

I really hope that someone can help me fix this problem, and ask (nicely, of course) that anyone with technical skills gives my problem some thought!

Dovi
 
Um... yeah... it's php, the "view source" you are looking at is the rendered page. It's not the actual code. Though looking through the rendered code it looks like you might have a problem.

Are you running the latest version of OSCommerce?

There's probably some exploit in an outdated version of osCommerce.
 
Sounds similar to an issue I had a couple months back. My boss' pc was compromised through IE6 (we'd use it for testing the web pages we built) and the ftp details for our clients were taken from Filezilla. Then what happened was that the hacker had an automated prog that would download the original index.php file and then re-upload it with malware links at the bottom of the page.

Maybe you're having the same issue? We changed all our ftp usernames and passwords. Needless to say it was an extremely long process with over 80 accounts.
 
Oh my, I just discovered how I was hacked... there's this little bit of code on top of a whole lot of my pages: <?php /**/eval(base64 followed by a long string of alphanumerics...
So now, I have to go through all my files (it's better than redoing the whole site), make sure all my permissions are set correctly, and change all my passwords!
 
Make sure your version of OSCommerce is up to date. Seriously. Or they will probably just change the code again.
 
Looks like that website has had code injection. You would need to carefully examine the site files and database and remove all traces, as well as clean all systems that have FTP access. You could also do a re-install and scour over the database records before re-applying them.
 
Sounds similar to an issue I had a couple months back. My boss' pc was compromised through IE6 (we'd use it for testing the web pages we built) and the ftp details for our clients were taken from Filezilla. Then what happened was that the hacker had an automated prog that would download the original index.php file and then re-upload it with malware links at the bottom of the page.

Maybe you're having the same issue? We changed all our ftp usernames and passwords. Needless to say it was an extremely long process with over 80 accounts.

Know someone who had a similar issue as well.
 
We used to have the same issue. You need to change ftp password first. Make it very complex. Then use a freeware search and replace tool, to search all php files for the hack. Use a keyword found in all the extra code, remove all. Reupload. GL
 
I had something like this happen to me years ago and realised I had forgotten to put a password on my admin folder. Anyone could gain access! I even googled the admin footer string and found a whole number of sites that forget to put a password on the admin folder.

I protected it from the cpanel admin area. Once you have admin access you can upload files, change code, get access to client details etc. I found a backdoor script (which I still have!) that once uploaded can pretty much take over all your hosting commands.

The file was saved as something like picture.gif.php and was in the images folder.
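The two indicators the thread describes, the eval(base64_decode(...)) block prepended to PHP files and a PHP file disguised with an image extension like picture.gif.php in the images folder, can be triaged with a read-only scan before any cleanup. The scanner below is an added example, not code from the thread or from osCommerce; the sample infected file is constructed, and the decoded preview is only shown to the reader, never executed.

```python
"""Read-only triage scanner for the two indicators in this thread:
eval(base64_decode(...)) prepended to PHP files, and picture.gif.php-style names."""
import base64
import binascii
import os
import re

# eval(base64_decode('...')); the /**/ filler seen in the thread sits before
# eval and does not affect the match.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]"
)
IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")

def decode_preview(b64: str, limit: int = 80) -> str:
    """Decode the base64 argument so a human can read it; it is never eval'd."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "<undecodable>"
    return raw.decode("utf-8", errors="replace")[:limit]

def find_obfuscated_eval(source: str) -> list:
    """One finding per eval(base64_decode(...)) occurrence in PHP source text."""
    return [{"offset": m.start(), "preview": decode_preview(m.group(1))}
            for m in EVAL_B64.finditer(source)]

def is_double_extension_php(path: str) -> bool:
    """True for names like picture.gif.php: an image extension in front of .php."""
    name = os.path.basename(path).lower()
    return name.endswith(".php") and os.path.splitext(name[:-4])[1] in IMAGE_EXTS

def scan_tree(root: str) -> list:
    """Walk root and return (path, reason) pairs; no files are changed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if is_double_extension_php(path):
                findings.append((path, "PHP file hidden behind an image extension"))
            if fname.lower().endswith(".php"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for hit in find_obfuscated_eval(fh.read()):
                        findings.append((path, f"eval(base64_decode) at byte {hit['offset']}: {hit['preview']!r}"))
    return findings

# Constructed sample, not the real injected code: only the shape reported in the thread.
SAMPLE_PAYLOAD = base64.b64encode(b"echo 'constructed sample payload';").decode()
SAMPLE_INFECTED = "<?php /**/eval(base64_decode('" + SAMPLE_PAYLOAD + "')); ?>\n<?php echo 'shop'; ?>"
SAMPLE_CLEAN = "<?php echo 'shop'; ?>"
```

Run scan_tree against a copy of the web root and review each finding by hand; a hit only tells you where to look, and the FTP and admin credential changes the other replies recommend still apply.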
 
We used to have the same issue. You need to change ftp password first. Make it very complex.

Making it the most complex password in the world won't make a difference as the malware simply steals your FileZilla site manager file (which stores all your FTP passwords in plain text) and you're open to attack. You need to ensure you have a decent (up to date) anti-virus installed.
 
Thanks so much for all the feedback! TG, I was able to clean out all the hacked files (essentially all of the .php files on the server) and I tracked down the actual file they were referencing and deleted that. Now it's all up and running again! The way it got in (I think) was that someone uploaded an "upgrade" to a contribution for osCommerce and bundled it in, either maliciously or because they were infected, and it sneaked in through there.
 